Package: wine Version: 5.0-4 Severity: important Hello.
Recently we hit a buffer overflow in wine_5.0-4. There was a mkdir error while creating the "/run/$UID! /wine" directory when running winecfg. The error was produced by wineserver32. Note the strange "! " part after $UID - it looks like a missing terminating \0 in a C char* string. Our $UIDs are produced by sssd, which is joined to an Active Directory domain, and each $UID is 10 characters long. I looked at "fixes/temporary-directory.patch" and found incorrect use of sizeof(): it is applied to a `const char *` variable, which yields the size of the pointer rather than the length of the string, so a buffer sized from it can be too small for the path being formatted. The patch is attached for the "debian/5.0-4" tag (bullseye branch). It is also available on salsa [1]; however, MRs are disabled for the wine-team/wine project, so I was unable to submit it there. [1] https://salsa.debian.org/nE0sIghT-guest/wine/-/commit/7867f27a582b3665844efcadc8003253ddebff9d
>From 7867f27a582b3665844efcadc8003253ddebff9d Mon Sep 17 00:00:00 2001 From: Yuri Konotopov <ykonoto...@gnome.org> Date: Mon, 5 Oct 2020 21:47:00 +0400 Subject: [PATCH] Fix buffer overflow in fixes/temporary-directory.patch Signed-off-by: Yuri Konotopov <ykonoto...@gnome.org> --- .../patches/fixes/temporary-directory.patch | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/debian/patches/fixes/temporary-directory.patch b/debian/patches/fixes/temporary-directory.patch index 358ae18709..d7a48b3d5f 100644 --- a/debian/patches/fixes/temporary-directory.patch +++ b/debian/patches/fixes/temporary-directory.patch @@ -4,8 +4,10 @@ bug-debian: https://bugs.debian.org/903622 bug-debian: https://bugs.debian.org/904041 bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013 ---- a/libs/wine/config.c -+++ b/libs/wine/config.c +Index: wine/libs/wine/config.c +=================================================================== +--- wine.orig/libs/wine/config.c ++++ wine/libs/wine/config.c @@ -25,6 +25,7 @@ #include <stdarg.h> #include <stdlib.h> @@ -63,8 +65,8 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013 + } + else + { -+ const char *tmp_default = "/tmp"; -+ tmp_dir = xmalloc( sizeof(tmp_default) + 1 ); ++ const char tmp_default[] = "/tmp"; ++ tmp_dir = xmalloc( sizeof(tmp_default) ); + strcpy( tmp_dir, tmp_default ); + } + @@ -138,8 +140,10 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013 server_dir = xmalloc( strlen(root) + sizeof(server_dir_prefix) + 2*sizeof(dev) + 2*sizeof(ino) + 2 ); strcpy( server_dir, root ); ---- a/server/request.c -+++ b/server/request.c +Index: wine/server/request.c +=================================================================== +--- wine.orig/server/request.c ++++ wine/server/request.c @@ -21,6 +21,7 @@ #include "config.h" #include "wine/port.h" 
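Review bot: In the `@@ -63,8 +65,8 @@` hunk, `xmalloc( sizeof(tmp_default) )` is only correct while `tmp_default` stays declared as an array; if it is ever turned back into a `const char *`, the allocation silently shrinks to the pointer size again. Sizing from the string itself, `tmp_dir = xmalloc( strlen(tmp_default) + 1 );`, stays correct under either declaration. If the file's `xstrdup` helper is in scope at this point (not visible from here), duplicating the literal with it would remove the hand-written size altogether. The enclosing function starts and ends outside the hunk.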
@@ -166,7 +170,7 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013 /* create the server directory and chdir to it */ static char *create_server_dir( int force ) { -+ const char *server_root_prefix = "/run/user"; ++ const char server_root_prefix[] = "/run/user"; const char *prefix = getenv( "WINEPREFIX" ); - char *p, *config_dir; + char *p, *config_dir, *run_dir; @@ -181,13 +185,13 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013 - if (!(server_dir = malloc( len ))) fatal_error( "out of memory\n" ); - sprintf( server_dir, "/tmp/.wine-%u", getuid() ); + /* use /run/user/$uid as wineserver's tmpdir by default */ -+ if (!(run_dir = malloc( sizeof(server_root_prefix) + 12 ))) ++ if (!(run_dir = malloc( sizeof(server_root_prefix) + 13 ))) + fatal_error( "out of memory\n" ); + sprintf( run_dir, "%s/%u", server_root_prefix, getuid() ); + + if (opendir( run_dir )) /* use /run as the temporary directory */ + { -+ len += sizeof(server_root_prefix) + 17; ++ len += strlen(run_dir) + 6; + if (!(server_dir = malloc( len ))) + fatal_error( "out of memory\n" ); + sprintf( server_dir, "%s/wine", run_dir ); -- GitLab
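Review bot: In the `@@ -181,13 +185,13 @@` hunk, the two `sprintf` calls in create_server_dir still write into buffers whose sizes are counted by hand (`sizeof(server_root_prefix) + 13` and `strlen(run_dir) + 6`), so a later change to the prefix or format string can reintroduce the same heap overflow with no warning. Keeping the size in a variable and formatting against it, e.g. `size_t run_len = sizeof(server_root_prefix) + 13;` followed by `snprintf( run_dir, run_len, "%s/%u", server_root_prefix, getuid() );`, turns a miscount into a truncation that can be detected from the return value. The `opendir( run_dir )` test also discards the handle it returns, so the directory stream is never closed; a `stat()`-based existence check, or closing the handle, would avoid that. The initial value of `len` and the rest of the function lie outside the hunk, so the final size of `server_dir` cannot be confirmed from here.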